Security

Definition:

The security of University assets and records includes three types of safeguards; Administrative, Physical and Technical:

Administrative security:

This focuses on the departmental and University processes put in place to protect assets and records. This includes the above mentioned processes of authorization and reconciliation.

Physical security:

This is the protection of physical records and assets from loss by theft or damage.

Technical security:

This is the protection of electronic records from loss by theft, damage, or loss in transport.

Purpose:

Assets and records should be kept secure at all times to prevent unauthorized access, loss or damage. The security of assets and records is essential for ongoing operations, accuracy of information, privacy of personal information included in some records and in many cases is a state or federal law.

Concepts and Best Practices

Key Concept

Best Practice

Designate a point person

Designating a point person for all areas or individually for the 3 types of security provides an established responsibility and accountability for proper security procedures.

Administrative organization

Keep an up-to-date organizational chart that defines the reporting relationships as well as responsibilities, including back-up responsibilities, regarding internal controls within the unit.

Document such processes as opening and distributing mail, administration of keys, access to documents and other administrative controls.

Access to electronic records:

Limit access to records and assets to those who have been authorized and have a business need for them.

Limit access to records and assets to those who have been authorized and have a business need for them.

Do not allow electronic records to be downloaded to mobile workstations and transported outside of the office.

Keep important records in lockable, fireproof storage

Employee Turnover:

Limit access to records and assets to those who have been authorized and have a business need for them.

Develop a checklist for removing access to records upon separation of an employee or upon transfer out of the unit. Develop a process and assign a point person the responsibility of administering the process for deleting access to records.

Passwords:

Have a prescribed standard for departmental passwords. Make them complex and enforce a policy for changing passwords periodically.